User Sign-in

Looking for the AWS SDKs for iOS and Android? These SDKs and their docs are now part of AWS Amplify.

The content on this page applies only to apps that were configured using AWS Mobile
Hub or awsmobile CLI. For existing apps that use AWS Mobile SDK prior to v2.8.0, we
highly recommend you migrate your app to use AWS Amplify and the latest SDK.

Feature Details

The following image shows a resource access policy being enforced for an unauthenticated
user.

The following image shows a resource access policy being enforced for an authenticated
user.

This feature enables you to configure how your users gain access to the AWS resources and services used by your app, either with no sign-in process or through authentication provided by one or more identity providers. In both cases, AWS identity creation and credentials are provided by Amazon Cognito Identity, and access authorization comes through AWS Identity and Access Management (IAM).

When you create a project, Mobile Hub provisions the AWS identity, user role, and access policy configuration required to allow all users access to unrestricted resources. When you add the User Sign-in feature to your app, you can restrict access so that only users who sign in with credentials validated by an identity provider can use protected resources. Through Amazon Cognito Identity, your app user obtains AWS credentials to directly access the AWS services that you enabled and configured for your Mobile Hub project. Both authenticated and unauthenticated users are granted temporary, limited-privilege credentials, obtained and enforced in the same way; what differs is the IAM role, and therefore the permissions, attached to each kind of identity.

Amazon Cognito can federate validated user identities from multiple identity providers to a single AWS identity. Mobile Hub helps you integrate identity providers into your mobile app so that users can sign in using their existing credentials from Facebook, Google, and your own identity system. You can also create and configure your own email- and password-based user directory using Amazon Cognito user pools.

Configuring User Sign-in

User Sign-in Providers

If you already have a registered Facebook app, copy the App ID from the Facebook Developers
App Dashboard. Paste the ID into the Facebook App ID field and choose Save Changes.

If you do not have a Facebook App ID yet, you'll need to create one before you can
integrate Facebook in your mobile app. The Facebook Developers portal takes you through
the process of setting up your Facebook application.

If you already have a registered Google Console project with the Google+ API, a web
application OAuthClient and a client ID for the platform of your choice set up, then
copy and paste the Google Web App Client ID and client ID(s) from the Google Developers
Console into those fields and choose Save Changes.

Regardless of the platform you choose (Android or iOS), you'll need to at least create
the following.

A Google Console project with the Google+ API enabled (used for Google Sign-in)

A web application OAuth client ID

An iOS and/or Android client ID, depending on which platform you are supporting

Choose Email and Password sign-in when you want to create your own AWS-managed user directory and sign-in process for your app's users. Configure the characteristics of their sign-in experience by:

Selecting user login options (email, username, and/or phone number)

Enabling multi-factor authentication (none, required, or optional). With MFA enabled, a one-time code is delivered by text message to the user's phone, and the user is prompted to enter that code in addition to their password in order to sign in.

SAML 2.0 (Security Assertion Markup Language 2.0) is an open standard used by many IdPs, including Microsoft Active Directory Federation Services and Shibboleth. Your IdP must be SAML 2.0 compatible to use this Mobile Hub option. To establish federation between AWS and your IdP, the two systems must exchange SAML federation metadata. AWS federation metadata can be found at https://signin.aws.amazon.com/static/saml-metadata.xml. This XML file demonstrates the form that your IdP's metadata should take. For more information on SAML federation metadata for your IdP, see Integrating Third-Party SAML Solution Providers with AWS.

To implement this exchange:

View your IdP's documentation to understand how to use the AWS federation metadata
file to register AWS as a service provider.
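Before you upload your IdP's metadata to AWS, it is worth checking that the document actually carries what federation needs: an entityID, an IDPSSODescriptor, a signing certificate (without it AWS cannot verify assertions), and an HTTPS single sign-on endpoint. The following is an added example, not code from the Mobile Hub documentation or from AWS; the metadata document embedded in it is constructed for illustration, with an assumed hostname and a truncated placeholder certificate, so a real IdP export will differ in detail but not in structure.

```python
# Added example (not from the AWS Mobile Hub docs): pre-flight check of an IdP's
# SAML 2.0 federation metadata before registering it with AWS.
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata. idp.example.com and the certificate bytes are
# placeholders; the element layout is what a real IdP export looks like.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/adfs/services/trust">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBADCC</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and return what AWS will rely on plus a list of problems.
    An empty 'problems' list means the document is structurally fit to register."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    certs, sso_urls = [], {}
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
    else:
        # A KeyDescriptor with no 'use' attribute is valid for both signing and
        # encryption, so treat a missing attribute as 'signing'.
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                raw = "".join((cert.text or "").split())
                try:
                    der = base64.b64decode(raw, validate=True)
                except ValueError:
                    problems.append("signing certificate is not valid base64")
                    continue
                if not der.startswith(b"\x30"):   # DER SEQUENCE tag
                    problems.append("signing certificate is not DER-encoded")
                certs.append(der)
        if not certs:
            problems.append("no signing certificate: AWS cannot verify assertions")

        for sso in idp.findall("md:SingleSignOnService", NS):
            binding, location = sso.get("Binding", ""), sso.get("Location", "")
            sso_urls[binding] = location
            if not location.startswith("https://"):
                problems.append("SSO endpoint is not https: %s" % location)
        if not sso_urls:
            problems.append("no SingleSignOnService endpoint")

    return {
        "entity_id": entity_id,
        "signing_certs": len(certs),
        "sso_urls": sso_urls,
        "problems": problems,
    }


if __name__ == "__main__":
    report = check_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", report["entity_id"])
    print("signing certs:", report["signing_certs"])
    print("problems:", report["problems"] or "none")
```

The check only validates structure; it does not verify the certificate chain or its expiry, and metadata fetched from an untrusted network location should be parsed with a hardened XML parser rather than the standard-library one used here.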

User Sign-in Requirement

Users have the option to sign in (authenticate) with your chosen sign-in identity
provider(s) or users can skip sign-in (unauthenticated). Your app receives temporary,
limited privilege access credentials from Amazon Cognito Identity as either an authenticated
user or an unauthenticated guest user so that your app can access your AWS services
securely.

Sign-in is required

Users are required to sign in with one of your chosen sign-in providers. Your app
receives temporary, limited privilege access credentials from Amazon Cognito Identity
as an authenticated user so that your app can access your AWS services securely.

Note

If user sign-in is not required, unauthenticated users can access data in your database tables and files in your storage buckets, unless those resources are explicitly restricted through another mechanism, such as the IAM policy attached to the unauthenticated role.
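What actually separates a guest from a signed-in user is the pair of IAM roles behind the identity pool: a trust policy that says which identities may assume each role, and a permission policy that says what the role may do. The following is an added example, not code from the Mobile Hub documentation or from Mobile Hub itself. It builds the two trust policies (keyed on the pool ID in the aud claim and on the authenticated/unauthenticated amr claim), a guest policy limited to a public prefix, an authenticated policy scoped per user with the cognito-identity.amazonaws.com:sub policy variable, and a small lint that flags wildcard grants in a policy before it ships. The identity pool ID, bucket name and table ARN are assumed placeholders.

```python
# Added example (not from the AWS Mobile Hub docs): IAM policies for an identity
# pool's unauthenticated and authenticated roles, plus a wildcard-grant lint.
import json

# Assumed placeholders; a real pool ID has the form "<region>:<uuid>".
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
BUCKET = "example-mobilehub-userfiles"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Notes"
SUB = "${cognito-identity.amazonaws.com:sub}"   # the caller's Cognito identity ID


def trust_policy(identity_pool_id: str, authenticated: bool) -> dict:
    """Who may assume the role: only identities from this pool (aud), and only
    in the matching authentication state (amr)."""
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def unauthenticated_permissions() -> dict:
    """Guest role: read-only on a public/ prefix and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::%s/public/*" % BUCKET],
        }],
    }


def authenticated_permissions() -> dict:
    """Signed-in role: each user reaches only objects under their own identity
    ID and only DynamoDB items whose partition key is their identity ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": ["arn:aws:s3:::%s/private/%s/*" % (BUCKET, SUB)],
            },
            {
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": [TABLE_ARN],
                "Condition": {
                    "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [SUB]}
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy: dict) -> list:
    """Allow statements that grant a whole service ('s3:*', '*') or every
    resource ('*'). Run against the guest role before the project ships."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wide_action = any(a == "*" or a.endswith(":*") for a in actions)
        wide_resource = any(r == "*" for r in resources)
        if wide_action or wide_resource:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    for name, policy in (("unauthenticated", unauthenticated_permissions()),
                         ("authenticated", authenticated_permissions())):
        print(name, "broad statements:", len(overly_broad_statements(policy)))
        print(json.dumps(trust_policy(IDENTITY_POOL_ID, name == "authenticated"), indent=2))
```

The lint is deliberately narrow: it catches the two grants that most often turn "guest can read public files" into "guest can read everything", and it is the check to apply to the unauthenticated role whenever sign-in is optional.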

User Sign-in and AWS Identity and Access Management (IAM)

When your mobile project is saved, Mobile Hub creates an Amazon Cognito identity pool and a new IAM role. These are used to generate temporary AWS credentials for the quickstart app's users to access your AWS resources. The IAM role's security policies are updated based on the sign-in features enabled.

At this point, your mobile project is set up for users to sign in. Each chosen identity provider has been added to the login screen of the quickstart app.

Viewing AWS Resources Provisioned for this Feature

Quickstart App Details

In the Mobile Hub quickstart app, the User Sign-in demo enables users to use features that access AWS resources without authentication or by signing in to the app via identity providers including Facebook, Google, SAML federation, or Email and Password.

When you add User Sign-in to your project with the Optional Sign-in option, choosing the app's quickstart sign-in demo returns and displays the user's Amazon Cognito identity ID. This identifier, issued from the project's identity pool, is associated with the app instance on the device currently accessing AWS resources.

When you add User Sign-in to your project with Required Sign-in, choosing the app's quickstart sign-in demo displays a sign-in experience branded to match the identity provider(s) configured in the project. Signing in to the demo authenticates the user with the selected identity provider service and returns and displays the user's Amazon Cognito identity ID.
